
NETS1032 Auditing & Forensics

25 Mar

Objectives

•    Collect network-based evidence.
•    Analyze alert, statistical, and session network-based evidence.

Pre-lab

In order to complete the lab, you will first have to install or download the following. (Note: If you are using Ubuntu/BackTrack, you can use the apt-get install command to install the following.)
Submit at least one screenshot for each tool, with your uid visible in the shot.

•    tcpdump (Kali)
•    Wireshark
•    Snort (Kali)
•    tcpflow (apt-get install tcpflow)
•    Xplico (apt-get install xplico) (no worries if this doesn’t work, just try it)
•    ngrep (apt-get install ngrep)
•    SplitCap or editcap
•    hd (Kali)
•    tcpstat
•    NetworkMiner
•    CapTipper (show some sites visited)
•    Foremost
•    strings
•    tshark (find out how many packets are in the pcap using tshark)

Procedure

After reviewing Chapter 11 and the slides, collect the network-based evidence requested above. You will collect this information from a capture file given to you by the instructor.

After completing the investigation, you should be able to answer the following questions.

1.    What is the most popular port used?

2.    What are the IP addresses involved?

3.    Name at least one executable file that was transferred.

4.    What did that file do?

5.    Did your IDS find anything? If yes, explain what.

6.    Re-create at least one website found, and either give a screenshot or show all the HTML for one site.

7.    What attacks occurred?

8.    What applications were used for the attack?

9.    Write a paragraph synopsis of what you think happened, based on the evidence you have accumulated.
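As an added illustration (not part of the lab handout or of any listed tool), the following Python script reads a libpcap file and tallies what questions 1 and 2 ask for: the IP addresses involved and the most popular port. It embeds a constructed three-frame capture so it runs without the instructor's file; pass the bytes of the real capture to summarize() to apply it there.

```python
# Added example (not the lab's or any tool's own code): a minimal libpcap reader
# that tallies the IP addresses and ports seen, with a constructed sample capture.
import struct
from collections import Counter

def build_sample_pcap():
    """Constructed capture (not real evidence): three IPv4/TCP frames over Ethernet."""
    def frame(src, dst, sport, dport):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
        data = eth + ip + tcp
        return struct.pack("<IIII", 0, 0, len(data), len(data)) + data  # record header
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    return header + b"".join([
        frame("10.0.0.5", "192.168.1.20", 49152, 80),
        frame("192.168.1.20", "10.0.0.5", 80, 49152),
        frame("172.16.0.9", "192.168.1.20", 49153, 80),
    ])

def summarize(pcap_bytes):
    """Return (set of IPv4 addresses, Counter of TCP/UDP ports) for a libpcap file."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # byte order from magic
    ips, ports = set(), Counter()
    offset = 24                                      # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        data = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(data) < 34 or data[12:14] != b"\x08\x00":  # Ethernet II carrying IPv4 only
            continue
        ihl = (data[14] & 0x0F) * 4                  # IP header length in bytes
        proto = data[23]
        ips.add(".".join(map(str, data[26:30])))     # source address
        ips.add(".".join(map(str, data[30:34])))     # destination address
        if proto in (6, 17) and len(data) >= 14 + ihl + 4:   # TCP or UDP: first 4 bytes are ports
            ports.update(struct.unpack("!HH", data[14 + ihl:14 + ihl + 4]))
    return ips, ports

if __name__ == "__main__":
    ips, ports = summarize(build_sample_pcap())
    print("IP addresses involved:", sorted(ips))
    print("Most popular port:", ports.most_common(1)[0])
```

Cross-check the totals against tshark on the same file (for example `tshark -r file.pcap -q -z endpoints,ip`) before relying on them in your write-up.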

Evaluation (12 Marks)

References:
http://pen-testing.sans.org/holiday-challenge/2011
https://github.com/omriher/CapTipper


Posted on March 25, 2017 in Academic Writing
